DNS over TLS Service Correctly Configured

Is my DNS over TLS Service correct: Accept port 853 and Drop port 53

Seven Name Servers in 5 countries
DNS Service Group: DNS over TLS port 853, DNS TCP and UDP port 53 > Only BLUE Wireless
Firewall Rules: BLUE > RED (DNS) ACCEPT
Outgoing Firewall Access INTERFACE BLUE 53 > Red 53 DROP
Comments or recommendations?

Hi @anon70097136 it seems you’re confused about the FW recommendations for IPFire, pay attention on the outgoing traffic, which is from IPFire itself, so the rules for NTP, ICMP and DoT should be in the respective place, else the policy for this outgoing traffic is Denied.

While DNS, I remember, DoT is only on port 853 TCP and consider the IPFire system is who query DoT. Try seeing the DNS traffic on every interface and you’ll note that in blue0 all DNS queries are in plain text, for it you can use tcpdump or tshark.